The Utah Department of Technology Services and the Utah Department of Health revealed Friday that they’d suffered an attack from apparent Eastern European hackers who accessed and pilfered the personal information from 181,604 Medicaid and CHIP (Children’s Health Insurance Plan) records. On Wednesday, the UDOH claimed the breach was limited to only about 24,000 claims, but further investigation revealed that 24,000 files had been removed, at least one of which contained information on hundreds of individuals.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” said Michael Hales, deputy director of the Health Department. “But we also hope they understand we are doing everything we can to protect them from further harm.”

According to sources on the event, the hackers circumvented what would have been multifactor authentication on the server by way of a configuration error. The server is now shut down pending investigation and a fix for the breach.

This is a gigantic problem, especially given the type of information stored and the confidential and personal value of the data. Worse, because this data is stored at such high density and in one place, all it takes is one person circumventing the authentication (or simply gaining access to the storage) to take all of it away. That the State of Utah government doesn’t have a proprietary encryption policy shows that they haven’t thought thoroughly about the cybersecurity of their citizens’ personal information.

Medical information is particularly low-hanging fruit for criminals, and since it’s tightly connected to identity theft and medical fraud (even Medicaid fraud), it needs to be treated as a valuable and targetable commodity.

If this data had been encrypted when the authentication failed, the hackers would at least have gotten only an encrypted file, potentially discouraging them from attempting to steal it or, ideally, making it too expensive for them to break open.

Keeping sensitive files encrypted won’t protect institutions from getting breached, but it’s still the best practice we have to help limit the scope and damage of that breach. That more state departments, especially those that deal in extremely sensitive information like the medical profession, haven’t gotten on the ball and started doing this as a matter of course shows that the nation really needs to wake up about security.